“Victim machines are monetized using a variety of methods, relying on internet trends such as digital currencies and traffic redirection,” Gaurdicore Labs said in a post about the campaign, on Wednesday.“Traffic monetization frauds are quite common and are based on redirecting website visitors from their legitimate destination to websites advertising malicious browser extensions, tech support scam services, fake services and more.”

Guardicore researchers Ofri Ziv and Daniel Goldberg said they first discovered the campaign on April 4, when they noticed a group of SSH attacks communicating with a C&C server using GuardiCore deception technology.

“These attackers are sophisticated and efficient back-end engineers,” Goldberg told Threatpost in an interview. “They’re not using sophisticated attacks, nor is their worm special, but their command-and-control is lean, efficient and hard to trace.”

The researchers told Threatpost that they estimate that the attackers have been operational since early 2018, according to compile times and different log files.

These attacks all behaved in the same fashion, communicating with the same C&C server to download a number of attack tools collectively named r2r2 (written in Golang), across several networks in different countries,along with a cryptocurrency miner.

“Over a period of three weeks, we captured dozens of such attacks per day coming from over 180 IPs from a variety of countries and organizations,” the researchers said. “These attacks led us to investigate the attackers’ infrastructure and discover a wide-ranging operation attacking multiple services.”

Upon further investigation, the researchers found that Operation Prowli was compromising a raft of victims – from financial to state and local governments – and targeting servers via open SSH ports,CMS servers hosting popular websites and insecure IoT devices.

“We believe the majority of their income is through traffic-hijacking, because it’s a consistent source that’s easy to monetise,” Goldberg told Threatpost.

Attack Vector

Interestingly, researchers said that the campaign operators tout a toolbox with a variety of attack methods to fit their needs – so different types of attacks are based on a mix of known vulnerabilities and credential-guessing.

Machines running SSH, for instance, are hacked by a self-propagating worm spread by brute-force credential-guessing. The victim machines will then download and run a cryptocurrency miner.

The attackers infect other victims – such as servers running HP Data Protector exposed to the internet (over port 5555), or WordPress installations – through exploiting old vulnerabilities (in the case of HP Data Protector, the glitch, CVE-2014-2623, is used to execute commands with system privileges).

Once the binary breaks in and infects machines, it runs a series of commands to download files from a hard-coded server. That includes multiple copies of the worm for different CPU architectures (x86, ARM and MIPS), and a cryptocurrency miner and configuration file.

“The attackers’ attack tools report to a C&C server running under the domain name wp.startreceive[.]tk. This Joomla! server is a compromised server, which the attackers reuse to track their malware, collect information from the ever-growing victims list and also serve different payloads to compromised machines,” the researchers said.

Victim data from various targeted services is stored in a log file – including login credentials from WordPress admin panels and SSH,UELs exposing vulnerable config panels from DSL modems and more.

In addition to varying infection methods, the attackers behind Operation Prowli use different payloads for each of their targets.

“While ‘patch your servers and use strong passwords’ may sound trivial, we know that ‘in real life’ things are much more complicated,” the firm said. “Alternatives include locking down systems and segmenting vulnerable or hard to secure systems, to separate them from the rest of your network.”